go-mail/smtp/auth_login.go

// SPDX-FileCopyrightText: Copyright (c) 2022-2023 The go-mail Authors
//
// SPDX-License-Identifier: MIT

package smtp

import (
	"errors"
	"fmt"
)

// loginAuth is the type that satisfies the Auth interface for the "SMTP LOGIN" auth
type loginAuth struct {
	username, password string
	host               string
}

const (
	// ServerRespUsername represents the "Username:" response by the SMTP server
	ServerRespUsername = "Username:"

	// ServerRespPassword represents the "Password:" response by the SMTP server
	ServerRespPassword = "Password:"
)

// LoginAuth returns an Auth that implements the LOGIN authentication
// mechanism as it is used by MS Outlook. The Auth works similar to PLAIN
// but instead of sending all in one response, the login is handled within
// 3 steps:
// - Sending AUTH LOGIN (server responds with "Username:")
// - Sending the username (server responds with "Password:")
// - Sending the password (server authenticates)
//
// LoginAuth will only send the credentials if the connection is using TLS
// or is connected to localhost. Otherwise authentication will fail with an
// error, without sending the credentials.
func LoginAuth(username, password, host string) Auth {
	return &loginAuth{username, password, host}
}

func (a *loginAuth) Start(server *ServerInfo) (string, []byte, error) {
	// Must have TLS, or else localhost server.
	// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.
	// In particular, it doesn't matter if the server advertises LOGIN auth.
	// That might just be the attacker saying
	// "it's ok, you can trust me with your password."
	if !server.TLS && !isLocalhost(server.Name) {
		return "", nil, errors.New("unencrypted connection")
	}
	if server.Name != a.host {
		return "", nil, errors.New("wrong host name")
	}
	return "LOGIN", nil, nil
}

func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	if more {
		switch string(fromServer) {
		case ServerRespUsername:
			return []byte(a.username), nil
		case ServerRespPassword:
			return []byte(a.password), nil
		default:
			return nil, fmt.Errorf("unexpected server response: %s", string(fromServer))
		}
	}
	return nil, nil
}
Switched copyright header from me to "The go-mail Authors" 2023-01-15 16:14:19 +01:00			`// SPDX-FileCopyrightText: Copyright (c) 2022-2023 The go-mail Authors`
#24: Add SPDX license IDs for REUSE compliance # SUMMARY * Bad licenses: * Deprecated licenses: * Licenses without file extension: * Missing licenses: * Unused licenses: * Used licenses: CC0-1.0, MIT * Read errors: 0 * Files with copyright information: 45 / 45 * Files with license information: 45 / 45 Congratulations! Your project is compliant with version 3.0 of the REUSE Specification :-) 2022-06-17 15:05:54 +02:00			`//`
			`// SPDX-License-Identifier: MIT`

Fork net/smpt into go-mail As part of #97 we are going to fork the official `net/smtp` package into go-mail to provide us with more flexibility. This commit fulfills the first big step of importing the package into smtp/. Also go-mail's own LoginAuth has been moved from auth/ into smtp/ to be consistent with the stdlib. There are still a couple of open issues (i. e. license adjustments and making golangci-lint happy) but so far all tests already work, which is a good start. 2023-01-10 00:38:42 +01:00			`package smtp`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00
			`import (`
			`"errors"`
			`"fmt"`
			`)`

Fork net/smpt into go-mail As part of #97 we are going to fork the official `net/smtp` package into go-mail to provide us with more flexibility. This commit fulfills the first big step of importing the package into smtp/. Also go-mail's own LoginAuth has been moved from auth/ into smtp/ to be consistent with the stdlib. There are still a couple of open issues (i. e. license adjustments and making golangci-lint happy) but so far all tests already work, which is a good start. 2023-01-10 00:38:42 +01:00			`// loginAuth is the type that satisfies the Auth interface for the "SMTP LOGIN" auth`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`type loginAuth struct {`
			`username, password string`
			`host string`
			`}`

			`const (`
			`// ServerRespUsername represents the "Username:" response by the SMTP server`
			`ServerRespUsername = "Username:"`

			`// ServerRespPassword represents the "Password:" response by the SMTP server`
			`ServerRespPassword = "Password:"`
			`)`

			`// LoginAuth returns an Auth that implements the LOGIN authentication`
			`// mechanism as it is used by MS Outlook. The Auth works similar to PLAIN`
			`// but instead of sending all in one response, the login is handled within`
			`// 3 steps:`
			`// - Sending AUTH LOGIN (server responds with "Username:")`
			`// - Sending the username (server responds with "Password:")`
			`// - Sending the password (server authenticates)`
			`//`
			`// LoginAuth will only send the credentials if the connection is using TLS`
			`// or is connected to localhost. Otherwise authentication will fail with an`
			`// error, without sending the credentials.`
Fork net/smpt into go-mail As part of #97 we are going to fork the official `net/smtp` package into go-mail to provide us with more flexibility. This commit fulfills the first big step of importing the package into smtp/. Also go-mail's own LoginAuth has been moved from auth/ into smtp/ to be consistent with the stdlib. There are still a couple of open issues (i. e. license adjustments and making golangci-lint happy) but so far all tests already work, which is a good start. 2023-01-10 00:38:42 +01:00			`func LoginAuth(username, password, host string) Auth {`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`return &loginAuth{username, password, host}`
			`}`

Fork net/smpt into go-mail As part of #97 we are going to fork the official `net/smtp` package into go-mail to provide us with more flexibility. This commit fulfills the first big step of importing the package into smtp/. Also go-mail's own LoginAuth has been moved from auth/ into smtp/ to be consistent with the stdlib. There are still a couple of open issues (i. e. license adjustments and making golangci-lint happy) but so far all tests already work, which is a good start. 2023-01-10 00:38:42 +01:00			`func (a loginAuth) Start(server ServerInfo) (string, []byte, error) {`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`// Must have TLS, or else localhost server.`
			`// Note: If TLS is not true, then we can't trust ANYTHING in ServerInfo.`
			`// In particular, it doesn't matter if the server advertises LOGIN auth.`
			`// That might just be the attacker saying`
			`// "it's ok, you can trust me with your password."`
			`if !server.TLS && !isLocalhost(server.Name) {`
			`return "", nil, errors.New("unencrypted connection")`
			`}`
			`if server.Name != a.host {`
			`return "", nil, errors.New("wrong host name")`
			`}`
			`return "LOGIN", nil, nil`
			`}`

			`func (a *loginAuth) Next(fromServer []byte, more bool) ([]byte, error) {`
			`if more {`
			`switch string(fromServer) {`
			`case ServerRespUsername:`
			`return []byte(a.username), nil`
			`case ServerRespPassword:`
			`return []byte(a.password), nil`
Fix SMTP AUTH LOGIN method for servers with uncommon success messages This fixes #94 and basically reverts d0f0435. As James points out correctly in #94, we should not assume specific responses from the server. As long as the spec is followed and the server returns the correct SMTP code, we should not do our own magic. I've also extended the `getTestConnection` method in client_test.go, so that we can specify more test environment options like `TEST_PORT` and `TEST_TLS_SKIP_VERIFY`. This was needed for testing with the ProtonMail Bridge which listens on a different port and has non-trusted certificates. 2023-01-07 11:31:46 +01:00			`default:`
			`return nil, fmt.Errorf("unexpected server response: %s", string(fromServer))`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`
			`}`
Fix SMTP AUTH LOGIN method for servers with uncommon success messages This fixes #94 and basically reverts d0f0435. As James points out correctly in #94, we should not assume specific responses from the server. As long as the spec is followed and the server returns the correct SMTP code, we should not do our own magic. I've also extended the `getTestConnection` method in client_test.go, so that we can specify more test environment options like `TEST_PORT` and `TEST_TLS_SKIP_VERIFY`. This was needed for testing with the ProtonMail Bridge which listens on a different port and has non-trusted certificates. 2023-01-07 11:31:46 +01:00			`return nil, nil`
Some progress was made: - Implemented proper AUTH LOGIN mechanism - Implemented msgWriter for handling io - Implemented proper mail header formatting/output - Minor refactoring 2022-03-12 15:10:01 +01:00			`}`